The sshd service and brute-force protection (with a bonus anti-brute-force script)

Installing the sshd service from the yum repository

Client package: openssh-clients.x86_64
Server package: openssh-server.x86_64


Is there a difference between OpenSSH and sshd?
They are two different things: the software package is called openssh, and the service started at boot is called sshd.

[root@server1 ~]# rpm -ql openssh   ### list the files installed by the package
/etc/ssh   ### main configuration directory
/etc/ssh/moduli
/usr/bin/ssh-keygen
/usr/libexec/openssh
/usr/libexec/openssh/ctr-cavstest
/usr/libexec/openssh/ssh-keysign


[root@server1 kiosk]# cd /etc/ssh/
[root@server1 ssh]# ll
total 276
-rw-r--r--. 1 root root     242153 9月   7 2016 moduli
-rw-r--r--. 1 root root       2208 9月   7 2016 ssh_config    ## client configuration file
-rw-------. 1 root root       4361 9月   7 2016 sshd_config   ## server configuration file




[root@server1 ssh]# systemctl start sshd  ## start the service
[root@server1 ssh]# systemctl enable sshd  ## always enable it at boot
Note: whenever you set up an open-source service, make sure it is enabled to start at boot.

[root@server1 ssh]# systemctl status sshd   ### check the service status
● sshd.service - OpenSSH server daemon
   Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled; vendor preset: enabled)
   Active: active (running) since 四 2019-10-24 11:20:35 CST; 1h 20min ago
     Docs: man:sshd(8)
           man:sshd_config(5)


Checking the state of each service on a 7-series system (RHEL/CentOS 7):

[root@server1 ~]# systemctl list-unit-files | grep sshd
sshd-keygen.service                         static  
sshd.service                                enabled ## starts at boot
sshd@.service                               static  
sshd.socket                                 disabled

Addendum: on a 6-series system the equivalent command is chkconfig --list






Hands-on:
Environment: server1 (172.25.2.1) is the server, server2 (172.25.2.2) is the client.

[root@server2 ~]# ssh root@172.25.2.1
The authenticity of host '172.25.2.1 (172.25.2.1)' can't be established.
ECDSA key fingerprint is 0a:e9:f9:09:98:14:7c:73:5c:7c:f2:1b:cf:f5:d7:8b.
Are you sure you want to continue connecting (yes/no)?  ## the first connection asks you to confirm the host key fingerprint; compare it with the fingerprint the server's administrator gave you before answering yes, because it is not shown again on later connections

Type yes, then enter the password when prompted:
root@172.25.2.1's password: 

Last login: Thu Oct 24 12:28:36 2019 from foundation60.ilt.exmaple.com
[root@server1 ~]#
After entering the password you are logged in to server1.

Key point: tuning sshd and protecting it against brute-force attacks

Many lines in the configuration file start with #.
A line like #Port 22 (no space after the #) shows the built-in default, which is what is in effect.
A line with a space after the # is an ordinary comment and has no effect.


[root@server1 ~]# vim /etc/ssh/sshd_config  ## open the server configuration file

#Port 22   ## sshd listens on port 22 by default

[root@server1 ~]# netstat -antlp | grep sshd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      882/sshd            
tcp6       0      0 :::22                   :::*                    LISTEN      882/sshd 

On production servers the port is usually changed.

Port 3389  ## changed to a non-standard port, 3389 here; restart sshd for the change to take effect (the new PID below shows the restart)
[root@server1 ~]# netstat -antlp | grep sshd
tcp        0      0 0.0.0.0:3389            0.0.0.0:*               LISTEN      2598/sshd  
tcp6       0      0 :::3389                 :::* 

Now a client that does not know the port cannot connect; the port has to be given with -p:
[root@server2 ~]# ssh root@172.25.2.1
ssh: connect to host 172.25.2.1 port 22: Connection refused
[root@server2 ~]# ssh root@172.25.2.1 -p 3389
root@172.25.2.1's password: 
Last login: Thu Oct 24 13:05:19 2019 from foundation60.ilt.exmaple.com
[root@server1 ~]# 




#ListenAddress 0.0.0.0

ListenAddress 0.0.0.0
Sets the IP address sshd binds to; 0.0.0.0 means listen on all addresses.
A company server usually has at least two network interfaces, one public and one internal.
If only internal hosts should be able to reach this server over sshd, set ListenAddress to the address on the internal network.



These are the host key files; do not modify them.
HostKey /etc/ssh/ssh_host_rsa_key  
#HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key



#LoginGraceTime 2m   ## maximum time allowed to complete a login, 2 minutes by default
[root@server2 ~]# ssh root@172.25.2.1 
root@172.25.2.1's password:    ## if no password is entered within the grace period (2 minutes here) the connection is dropped


#PermitRootLogin yes   ### whether the root account may log in
PermitRootLogin no   ## root is no longer allowed to log in



AuthorizedKeysFile      .ssh/authorized_keys  ## file holding the public keys accepted for key authentication



PasswordAuthentication yes  ### whether password authentication is allowed
There are two ways to log in: by password and by key.
Note: only change this to no after key authentication has been set up and tested, otherwise you lock yourself out of the machine.



#PrintMotd yes  ## print a message at login
[root@server1 ~]# vim /etc/motd   ### edit the message file
[root@server1 ~]# cat /etc/motd  
WELCOME 

Now, connecting from the client:
[root@server2 ~]# ssh root@172.25.2.1
root@172.25.2.1's password: 
Last login: Thu Oct 24 19:17:41 2019 from foundation60.ilt.exmaple.com
WELCOME    ### the login message
[root@server1 ~]# 




#PrintLastLog yes  ## print the previous login
Last login: Thu Oct 24 13:14:08 2019 from server2   ## the previous login came from server2
In a real production environment, if one day you log in over ssh and the last login shows an IP address you do not recognise, say one that turns out to be in Africa or the US, your server may well have been compromised.





Logging in with a key
Lab setup: server2 logs in to server1 without a password.

1: Generate a key pair on the client with ssh-keygen
 
[root@server2 ~]# ssh-keygen 
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):    ### where the key is saved; the default is normally kept
Enter passphrase (empty for no passphrase):    ### an empty passphrase means anyone who obtains the private key file can use it
Enter same passphrase again: 
Your identification has been saved in /root/.ssh/id_rsa.    ### the private key
Your public key has been saved in /root/.ssh/id_rsa.pub.  ### the public key
The key fingerprint is:
51:26:29:6e:88:b6:9f:0d:21:86:e7:7c:7b:c5:a9:10 root@server2
The key's randomart image is:
+--[ RSA 2048]----+
|        ..o      |
|      . .+       |
| . . o ..        |
|. * E o  .       |
| * o + .S.       |
|  + +   +        |
|   o * o         |
|    + +          |
|     .           |
+-----------------+

[root@server2 ~]# cd /root/.ssh/
[root@server2 .ssh]# ls
id_rsa       id_rsa.pub   known_hosts 

Note: in production, files related to keys should as far as possible be kept as hidden files.


2: Copy the public key to the server
[root@server2 .ssh]# ssh-copy-id -i 172.25.2.1
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@172.25.2.1's password: 

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh '172.25.2.1'"
and check to make sure that only the key(s) you wanted were added.



3: Check on the server side
[root@server1 ~]# cd /root/.ssh/
[root@server1 .ssh]# ls
authorized_keys    ### this file contains the contents of id_rsa.pub; if you do not use ssh-copy-id -i 172.25.2.1, paste the contents of id_rsa.pub into authorized_keys on the server yourself
Note: when copying it over, check the permissions of authorized_keys: they must be 600 or 700
[root@server1 .ssh]# ll
total 4
-rw------- 1 root root 394 10月 24 19:44 authorized_keys


4: Login now works without a password
[root@server2 ~]# ssh root@172.25.2.1
Last login: Thu Oct 24 19:24:37 2019 from server2
WELCOME 
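The two rules above (change PasswordAuthentication only after a key is installed; keep authorized_keys at 600) can be enforced by a small script. This is an added example, not code from the original post: it works on a constructed copy of sshd_config and authorized_keys in a temporary directory, and the public key it installs is a constructed placeholder.

```bash
#!/bin/bash
# Added example, not from the original post: install a public key with the
# permissions the post insists on and edit sshd_config following its "#Option
# default" convention, refusing to drop password logins until a key is in place.
set -eu
# Effective value of KEY: an active "Key value" line wins, otherwise the
# "#Key default" line shows the built-in default, otherwise empty.
get_sshd_option() {
  local file=$1 key=$2 line
  line=$(grep -E -m1 "^${key}[[:space:]]" "$file" || true)
  [ -n "$line" ] || line=$(grep -E -m1 "^#${key}[[:space:]]" "$file" || true)
  printf '%s\n' "${line#\#}" | awk '{print $2}'
}
# Rewrite the first "Key ..." or "#Key ..." line as "Key VALUE", or append one;
# "# comment" lines (space after the #) are never touched.
set_sshd_option() {
  local file=$1 key=$2 value=$3
  awk -v k="$key" -v v="$value" '
    !done && ($1 == k || $1 == ("#" k)) { print k " " v; done = 1; next }
    { print }
    END { if (!done) print k " " v }' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}
# Append PUBKEY to AUTHKEYS once, with 700 on .ssh and 600 on the file.
install_pubkey() {
  local authkeys=$1 pubkey=$2 re='^(ssh|ecdsa)-[a-z0-9-]+ [A-Za-z0-9+/=]+'
  [[ $pubkey =~ $re ]] || { echo "not a public key line: $pubkey" >&2; return 1; }
  mkdir -p "$(dirname "$authkeys")" && chmod 700 "$(dirname "$authkeys")"
  touch "$authkeys" && chmod 600 "$authkeys"
  grep -qxF "$pubkey" "$authkeys" || printf '%s\n' "$pubkey" >> "$authkeys"
}
# PermitRootLogin no always; PasswordAuthentication no only once a key exists.
harden_sshd() {
  local file=$1 authkeys=$2
  set_sshd_option "$file" PermitRootLogin no
  if [ -s "$authkeys" ]; then
    set_sshd_option "$file" PasswordAuthentication no
  else
    echo "no key in $authkeys yet; keeping PasswordAuthentication as is" >&2
    return 1
  fi
}
# Constructed stand-ins for /etc/ssh/sshd_config and /root/.ssh/authorized_keys.
TMP=$(mktemp -d); trap 'rm -rf "$TMP"' EXIT
CFG=$TMP/sshd_config; KEYS=$TMP/.ssh/authorized_keys
printf '%s\n' '#Port 22' '# real comment' '#PermitRootLogin yes' 'PasswordAuthentication yes' > "$CFG"
set_sshd_option "$CFG" Port 3389
harden_sshd "$CFG" "$KEYS" || true                        # refused: no key installed yet
install_pubkey "$KEYS" 'ssh-ed25519 AAAAC3constructedplaceholderkey root@server2'   # constructed key
harden_sshd "$CFG" "$KEYS"                                # now allowed
```

On a real host, run sshd -t -f /etc/ssh/sshd_config on the edited file and only restart sshd if it prints nothing.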




Protecting sshd with the open-source tool fail2ban


Official site: www.fail2ban.org
It can also be installed directly from the yum repository.

1: Get the package from the official site
[root@server1 ~]# ls
docker  fail2ban-0.8.14.tar.gz


2: Extract the archive into /usr/local/
[root@server1 ~]# tar zxf fail2ban-0.8.14.tar.gz -C /usr/local/ 
[root@server1 ~]# cd /usr/local/
[root@server1 local]# ls
bin  fail2ban-0.8.14  include  lib64    sbin   src
etc  games            lib      libexec  share

3: Read README.md; open-source software generally ships with such a file
[root@server1 fail2ban-0.8.14]# vim README.md 

To install, just do:

    tar xvfj fail2ban-0.8.12.tar.bz2
    cd fail2ban-0.8.12
    python setup.py install


4: Install (fail2ban is written in Python and needs Python newer than 2.4)

[root@server1 fail2ban-0.8.14]# python -V   ### check the Python version
Python 2.7.5
[root@server1 fail2ban-0.8.14]# python setup.py install
They are in /etc/fail2ban/.  ### the configuration directory


5: Enter the directory and look at the service start-up files
[root@server1 fail2ban]# cd -
/usr/local/fail2ban-0.8.14
[root@server1 fail2ban-0.8.14]# ls
build      DEVELOP             fail2ban-testcases-all  README.md       THANKS
ChangeLog  doc                 files                   README.Solaris  TODO
client     fail2ban-client     FILTERS                 server
common     fail2ban-regex      kill-server             setup.cfg
config     fail2ban-server     man                     setup.py
COPYING    fail2ban-testcases  MANIFEST                testcases
[root@server1 fail2ban-0.8.14]# cd files/
[root@server1 files]# ls
bash-completion         gen_badbots                 nagios
cacti                   gentoo-confd                redhat-initd
fail2ban-logrotate      gentoo-initd                solaris-fail2ban.xml
fail2ban.service        ipmasq-ZZZzzz_fail2ban.rul  solaris-svc-fail2ban
fail2ban-tmpfiles.conf  macosx-initd                suse-initd




6: Copy the init script into the system's init directory
[root@server1 files]# cp redhat-initd /etc/rc.d/init.d/fail2ban

Aside: with so many files in the directory, how do I know redhat-initd is the init script?
[root@server1 fail2ban-0.8.14]# grep chkconfig ./* -R --color  ### an init script normally carries a "chkconfig:" header line defining its run levels
./files/redhat-initd:# chkconfig: - 92 08

7: Enable it at boot
[root@server1 files]# chkconfig --add fail2ban


Worked case: if ssh password authentication fails 3 times within 5 minutes, block the client IP for 1 hour; the ban is lifted automatically after an hour and the user can log in again.


sshd log file: /var/log/secure


Edit the configuration file (the [ssh-iptables] jail in /etc/fail2ban/jail.conf):

enabled  = true   ### set to true to enable this jail
filter   = sshd
action   = iptables[name=SSH, port=ssh, protocol=tcp]
           sendmail-whois[name=SSH, dest=you@example.com, sender=fail2ban@example.com, sendername="Fail2Ban"]

If you want the server to e-mail you when it is being brute-forced, change dest= to your own address; the server also needs sendmail installed and running.


logpath  = /var/log/secure   ### the sshd log; fail2ban decides by scanning this log
maxretry = 3  ## maximum number of failed attempts
findtime = 3600   ## window in which the failures are counted; 3600 is one hour, the 5-minute window described above would be findtime = 300
bantime = 3600   ## ban for 1 hour




8: Restart the service
[root@server1 fail2ban]# systemctl restart fail2ban
[root@server1 fail2ban]# systemctl status fail2ban
● fail2ban.service - LSB: Start/Stop fail2ban
   Loaded: loaded (/etc/rc.d/init.d/fail2ban; bad; vendor preset: disabled)
   Active: active (running) since 四 2019-10-24 20:28:34 CST; 26min ago
     Docs: man:systemd-sysv-generator(8)
[root@server1 fail2ban]# systemctl enable fail2ban
fail2ban.service is not a native service, redirecting to /sbin/chkconfig.
Executing /sbin/chkconfig fail2ban on  ### now in the list of services started at boot


9: fail2ban has added a firewall chain
[root@server1 fail2ban]# iptables -nvL
Chain INPUT (policy ACCEPT 30 packets, 2100 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   30  2100 fail2ban-SSH  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 17 packets, 1482 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain fail2ban-SSH (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   30  2100 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0 


10: To make the test easier, remove the key file on the server
[root@server1 fail2ban]# cd /root/.ssh/
[root@server1 .ssh]# ls
authorized_keys
[root@server1 .ssh]# rm -rf authorized_keys 

11: Run the test
[root@server2 ~]# ssh root@172.25.2.1   ### after three wrong passwords there is no further chance to log in
root@172.25.2.1's password: 
Permission denied, please try again.
root@172.25.2.1's password: 
Permission denied, please try again.
root@172.25.2.1's password: 
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
[root@server2 ~]# ssh root@172.25.2.1
ssh: connect to host 172.25.2.1 port 22: Connection refused
[root@server2 ~]# 





12: Check the status on the server
[root@server1 .ssh]# fail2ban-client status ssh-iptables
Status for the jail: ssh-iptables
|- filter
|  |- File list:	/var/log/secure 
|  |- Currently failed:	0
|  `- Total failed:	3
`- action
   |- Currently banned:	1
   |  `- IP list:	172.25.2.2 
   `- Total banned:	1

[root@server1 log]# cat /var/log/secure  ### view the log
Oct 24 21:01:10 server1 sshd[3491]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Oct 24 21:01:11 server1 sshd[3491]: Failed password for root from 172.25.2.2 port 35200 ssh2
Oct 24 21:01:14 server1 sshd[3491]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Oct 24 21:01:16 server1 sshd[3491]: Failed password for root from 172.25.2.2 port 35200 ssh2
Oct 24 21:01:18 server1 sshd[3491]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Oct 24 21:01:20 server1 sshd[3491]: Failed password for root from 172.25.2.2 port 35200 ssh2
Oct 24 21:01:20 server1 sshd[3491]: Connection closed by 172.25.2.2 [preauth]
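The counting rule behind the jail above, as an added example that is not part of the original post: it replays constructed /var/log/secure lines in the format shown (the three failures from 172.25.2.2 plus a slower set from the constructed address 192.0.2.9), applies maxretry within findtime, and prints the iptables command fail2ban's iptables action would run instead of executing it. Running it with findtime 300 and 3600 shows why the 5-minute goal and the findtime = 3600 setting differ.

```bash
#!/bin/bash
# Added example, not from the original post: the counting rule fail2ban's
# [ssh-iptables] jail applies to /var/log/secure (maxretry failures inside
# findtime seconds => ban), replayed over constructed log lines.
set -eu
MAXRETRY=3
BANTIME=3600
# Constructed sample lines in the format the post's /var/log/secure shows;
# 192.0.2.9 is a made-up address whose failures are 10 minutes apart.
LOG=$(cat <<'EOF'
Oct 24 21:01:10 server1 sshd[3491]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Oct 24 21:01:11 server1 sshd[3491]: Failed password for root from 172.25.2.2 port 35200 ssh2
Oct 24 21:01:16 server1 sshd[3491]: Failed password for root from 172.25.2.2 port 35200 ssh2
Oct 24 21:01:20 server1 sshd[3491]: Failed password for root from 172.25.2.2 port 35200 ssh2
Oct 24 21:01:20 server1 sshd[3491]: Connection closed by 172.25.2.2 [preauth]
Oct 24 21:10:00 server1 sshd[3600]: Failed password for invalid user admin from 192.0.2.9 port 40001 ssh2
Oct 24 21:20:00 server1 sshd[3601]: Failed password for invalid user admin from 192.0.2.9 port 40002 ssh2
Oct 24 21:30:00 server1 sshd[3602]: Failed password for invalid user admin from 192.0.2.9 port 40003 ssh2
EOF
)
# "HH:MM:SS" -> seconds since midnight (all sample lines fall on one day).
to_seconds() { local h m s; IFS=: read -r h m s <<<"$1"; echo $((10#$h*3600 + 10#$m*60 + 10#$s)); }
# find_bans FINDTIME: print each IP the jail would ban (once, in order) and,
# on stderr, the rule fail2ban's iptables action inserts into the chain.
find_bans() {
  local findtime=$1 line ip t ts kept window
  local re='^[A-Za-z]+ +[0-9]+ ([0-9:]+) .*Failed password for .* from ([0-9.]+) port'
  declare -A hits=() banned=()
  while IFS= read -r line; do
    [[ $line =~ $re ]] || continue          # only the sshd filter's failure lines count
    t=$(to_seconds "${BASH_REMATCH[1]}"); ip=${BASH_REMATCH[2]}
    kept=""                                 # drop failures older than the window
    for ts in ${hits[$ip]:-}; do (( t - ts <= findtime )) && kept="$kept $ts"; done
    hits[$ip]="$kept $t"
    read -ra window <<<"${hits[$ip]}"
    if (( ${#window[@]} >= MAXRETRY )) && [[ -z ${banned[$ip]:-} ]]; then
      banned[$ip]=1
      echo "$ip"
      echo "  ban ${BANTIME}s: iptables -I fail2ban-SSH 1 -s $ip -j REJECT --reject-with icmp-port-unreachable" >&2
    fi
  done <<<"$LOG"
}
echo "findtime=300 (the 5-minute goal):";  find_bans 300
echo "findtime=3600 (what the post's value does):"; find_bans 3600
```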


Scenario 1: lifting a ban early
fail2ban works by scanning /var/log/secure, so it is enough to empty that log and restart the service:
[root@server1 log]# > /var/log/secure   ### empty the log
[root@server1 log]# cat /var/log/secure   
[root@server1 log]# systemctl restart fail2ban  ## restart the service
Emptying the log also throws away the record of the attempts; to lift a single ban without touching the log, fail2ban-client set ssh-iptables unbanip 172.25.2.2 does the same job.


[root@server2 ~]# ssh root@172.25.2.1   ### the banned host can now connect over ssh again
root@172.25.2.1's password: 
Last failed login: Thu Oct 24 21:01:20 CST 2019 from server2 on ssh:notty
There were 3 failed login attempts since the last successful login.
Last login: Thu Oct 24 19:55:36 2019 from server2
WELCOME 



Scenario 2: fail2ban assumes port 22; what if the sshd port was changed, as in the earlier experiment?

[root@server1 action.d]# cd /etc/fail2ban/
[root@server1 fail2ban]# vim jail.conf

action   = iptables[name=SSH, port=ssh, protocol=tcp]

The service name stands in for the default port here; if my sshd runs on 2222, I set port = 2222.

[root@server1 action.d]# cd /etc/fail2ban/action.d
[root@server1 action.d]# vim iptables.conf 


port = ssh

Change it in both files for the new port to take effect.




DenyHosts:

DenyHosts is written in Python. It monitors the system log (/var/log/secure) to detect brute-force attempts against OpenSSH; when it finds one it extracts the source IP address from the security log and adds an entry to /etc/hosts.deny so that TCP Wrappers rejects further connection attempts from that address.



PAM module: the anti-brute-force mechanism that ships with Linux for sshd   ### the protection it gives is not especially strong, since it works per user account
Preventing ssh brute-forcing with the PAM module:
[root@server1 ~]# vim /etc/pam.d/sshd
Add the following line below the first line:
auth    required    pam_tally2.so    deny=3    unlock_time=600 even_deny_root root_unlock_time=1200

Meaning: after more than 3 failed login attempts, ordinary users are unlocked after 600 seconds and root after 1200 seconds.

Unlocking by hand (the pam_tally2.so module configured above is managed with the pam_tally2 command):
Show the failed-login count for a user:
pam_tally2 --user <username>
For example, the failed-login count for user work:
pam_tally2 --user work
Reset the failed-login count for a user:
pam_tally2 --user <username> --reset
For example, reset the count for user work:
pam_tally2 --user work --reset 




  

sshd anti-brute-force script

Reposted from blog.csdn.net/yinzhen_boke_0321/article/details/102788878